I have been thinking on this from a long time. Referred to the documentation and white papers of few products. I found that heuristics is not used by default. Only if there is a suspicion, heuristics is used to verify whether it is a variant. How AV identifies that a file is to be checked using heuristics when it is relying on signatures? I guess it applies DNA and cloud labeling only when heuristics flags the file.
Please read fully the paper "malicious code detection technologies" by Alisa shevchenko from Kaspersky labs. The paper is freely available via internet search. Your doubts will be cleared much better.
